From 51bb01e14b11f144bc8ebef6bad351cce05f447c Mon Sep 17 00:00:00 2001
From: Jesse McConnell
Date: Thu, 29 Nov 2012 11:23:16 -0600
Subject: [PATCH] decode the request uri and validate that

---
 .../jetty/rewrite/handler/ValidUrlRule.java     | 11 +++++++----
 .../jetty/rewrite/handler/ValidUrlRuleTest.java | 17 ++++++++++++++---
 2 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/jetty-rewrite/src/main/java/org/eclipse/jetty/rewrite/handler/ValidUrlRule.java b/jetty-rewrite/src/main/java/org/eclipse/jetty/rewrite/handler/ValidUrlRule.java
index c3883cfb581..195f451bcef 100644
--- a/jetty-rewrite/src/main/java/org/eclipse/jetty/rewrite/handler/ValidUrlRule.java
+++ b/jetty-rewrite/src/main/java/org/eclipse/jetty/rewrite/handler/ValidUrlRule.java
@@ -23,6 +23,8 @@ import java.io.IOException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.eclipse.jetty.util.URIUtil;
+
 public class ValidUrlRule extends Rule
 {
     String _code = "400";
@@ -60,11 +62,12 @@ public class ValidUrlRule extends Rule
     @Override
     public String matchAndApply(String target, HttpServletRequest request, HttpServletResponse response) throws IOException
     {
-        String uri = request.getRequestURI();
-
+        // best to decide the request uri and validate that
+        String uri = URIUtil.decodePath(request.getRequestURI());
+
         for (int i = 0; i < uri.length(); ++i)
         {
-            if (!isPrintableChar(uri.charAt(i)))
+            if (!isValidChar(uri.charAt(i)))
             {
                 int code = Integer.parseInt(_code);
 
@@ -85,7 +88,7 @@ public class ValidUrlRule extends Rule
         return null;
     }
 
-    protected boolean isPrintableChar(char c)
+    protected boolean isValidChar(char c)
     {
         Character.UnicodeBlock block = Character.UnicodeBlock.of(c);
 
diff --git a/jetty-rewrite/src/test/java/org/eclipse/jetty/rewrite/handler/ValidUrlRuleTest.java b/jetty-rewrite/src/test/java/org/eclipse/jetty/rewrite/handler/ValidUrlRuleTest.java
index 3d45adcdce4..4513d80331a 100644
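Review bot: A malformed percent-escape in the raw request URI is not handled at `String uri = URIUtil.decodePath(request.getRequestURI());` in matchAndApply: if decodePath throws on a non-hex or truncated sequence such as `/%zz/` or `/%0` (it appears to raise an unchecked exception for those in this era's URIUtil — verify), that exception escapes the rule instead of producing the configured `_code` response, and if it instead passes the bytes through unchanged the rule silently accepts them; which of the two happens should be pinned by a test. I'd catch the decode failure and route it into the same rejection branch the invalid-character case uses (the branch that starts at `int code = Integer.parseInt(_code);` and continues outside the hunk), so a request the server cannot even decode is answered the same way as one containing a control character. The new comment also has a typo that inverts its meaning; I'd write it as `// decode the request URI and validate the decoded form`. The body of matchAndApply continues past the end of this hunk.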
--- a/jetty-rewrite/src/test/java/org/eclipse/jetty/rewrite/handler/ValidUrlRuleTest.java
+++ b/jetty-rewrite/src/test/java/org/eclipse/jetty/rewrite/handler/ValidUrlRuleTest.java
@@ -50,20 +50,31 @@ public class ValidUrlRuleTest extends AbstractRuleTestCase
     public void testInvalidUrl() throws Exception
     {
         _rule.setCode("404");
-        _request.setRequestURI("/invalid\u000c/uri.html");
+        _request.setRequestURI("/invalid%0c/uri.html");
 
         String result = _rule.matchAndApply(_request.getRequestURI(), _request, _response);
 
         assertEquals(404,_response.getStatus());
     }
 
+    @Test
+    public void testInvalidUrl2() throws Exception
+    {
+        _rule.setCode("404");
+        _request.setRequestURI("/%00/");
+
+        String result = _rule.matchAndApply(_request.getRequestURI(), _request, _response);
+
+        assertEquals(404,_response.getStatus());
+    }
+
     @Test
     public void testCharacters() throws Exception
     {
         // space
-        Assert.assertTrue( _rule.isPrintableChar("\u0020".charAt(0)));
+        Assert.assertTrue( _rule.isValidChar("\u0020".charAt(0)));
         // form feed
-        Assert.assertFalse( _rule.isPrintableChar("\u000c".charAt(0)));
+        Assert.assertFalse( _rule.isValidChar("\u000c".charAt(0)));
     }
 }
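Review bot: No test pins what the rule does with a malformed percent-escape in the request URI: `testInvalidUrl` and the new `testInvalidUrl2` only cover well-formed escapes (`%0c`, `%00`) that decode to a control character, so whether `matchAndApply` answers with the configured status or lets an exception from `URIUtil.decodePath` propagate is left untested. I'd add a `testMalformedEncoding` shaped like `testInvalidUrl2` that sets `_request.setRequestURI("/%zz/")` and asserts `_response.getStatus()` is 404, plus a double-encoding case such as `/%2500/` to confirm the literal `%00` that one decode step yields is accepted as printable. The `String result` local in both tests is never read; either drop it or assert on the return value, though what the rejection branch returns is not visible in this patch. The file also mixes a statically imported `assertEquals` with qualified `Assert.assertTrue`/`Assert.assertFalse`; pick one form for the new test.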